Using KQL 'let' to combine two queries in the same table
I am trying to learn KQL and have a query from which I want to get two values, Windows event IDs 4624 (logon) and 4634 (logoff), and return them for different scenarios I am still building.
But mainly I want to be able to return the values in a table (print or project?):

let login = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| project loginTime = TimeGenerated;
let logout = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4634
| project logoutTime = TimeGenerated;
print login

The error I get is "'project' operator: Failed to resolve scalar expression named 'login'"
What I would most like to see is:

loginTime | logoutTime
----------------------------------------------
01/02/2021 18:46:30 | 01/02/2021 18:45:45
01/02/2021 18:47:30 | 01/02/2021 18:47:45
01/02/2021 18:48:30 | 01/02/2021 18:48:45

Would union be better? It is all in the same table (SecurityEvent), so I assume it can be done that way?
The dataset is the demo data MS provides in the Azure portal: https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade
Thanks for your help!
The problem is that 'login' is of tabular type, but print expects a scalar type.

let login = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| project loginTime = TimeGenerated;
let logout = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4634
| project logoutTime = TimeGenerated;
print toscalar(login)

As for the result you are trying to get, I think this may be what you need:
Updated to improve clarity/perf

let login = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| project TargetLogonId, loginTime = TimeGenerated;
let logout = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4634
| project TargetLogonId, logoutTime = TimeGenerated;
login
| join kind=leftouter logout on TargetLogonId
| project loginTime, logoutTime
I added some changes incorporating the suggestions from @GenericUser and @Slavik-N, and it now shows the information I wanted to compute:

let login = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| where AccountType == 'User'
| project Computer, Account, TargetLogonId, loginTime = TimeGenerated;
let logout = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4634
| where AccountType == 'User'
| project Computer, Account, TargetLogonId, logoutTime = TimeGenerated;
login
| join kind=inner logout on TargetLogonId
| project Computer, Account, loginTime, logoutTime, minute = datetime_diff('minute', logoutTime, loginTime)
| where minute > 0
| sort by minute desc
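The join-based approach in the thread pairs each 4624 with its 4634 through TargetLogonId. Two practical caveats apply when running it against more than one host: a logon ID is only unique within one boot session of one machine (0x3E7 is SYSTEM's logon ID on every Windows host, for example), so the join key should include Computer to avoid pairing a logon on one machine with a logoff on another; and an inner join silently drops sessions that have not logged off yet, which are often the ones an analyst cares about. The following is an added example, not code from the original question or answers; it assumes the standard SecurityEvent schema (EventID, Computer, Account, AccountType, LogonType, TargetLogonId, TimeGenerated), and the lookback window, the LogonType filter and the 'open'/'closed' marker are choices made here rather than anything from the thread:

```kql
// Added example: pair logon (4624) and logoff (4634) events per host and
// logon ID, keeping sessions that are still open.
// Assumes the standard SecurityEvent schema; lookback, LogonType filter
// and the sessionState labels are assumptions of this example.
let lookback = 24h;
let login = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
| where AccountType == 'User'
// Interactive (2) and RemoteInteractive (10) logons only; network and
// service logons generate a large volume of short-lived sessions.
| where LogonType in (2, 10)
| project Computer, Account, LogonType, TargetLogonId, loginTime = TimeGenerated;
let logout = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4634
| project Computer, TargetLogonId, logoutTime = TimeGenerated;
login
// Join on Computer as well as TargetLogonId: logon IDs repeat across hosts.
| join kind=leftouter logout on Computer, TargetLogonId
// No matching 4634 means the session is still open (or the logoff fell
// outside the lookback window); measure its duration up to now instead.
| extend sessionState = iff(isnull(logoutTime), 'open', 'closed')
| extend durationMin = datetime_diff('minute', coalesce(logoutTime, now()), loginTime)
| project Computer, Account, LogonType, TargetLogonId, loginTime, logoutTime, sessionState, durationMin
| sort by durationMin desc
```

If the goal is a per-account view rather than per-session rows, finish the pipeline with `| summarize sessions = count(), openSessions = countif(sessionState == 'open'), longestMin = max(durationMin) by Computer, Account` instead of the final project. Note that a logon that occurred before the lookback window begins will never appear here even if its logoff does, so widen the window on the login side if long-running sessions matter.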